I found a few topics from the earlier HiveManager (pre-NG even) days that explained how to use RADIUS authentication to allow devices with a domain certificate to join a domain.
However, the way it was described, it sounded as if, when the devices all had the same issued certificate and were part of a certain OU in the AD domain, they would be able to join.
What we need though is the same authentication from the wireless side that we are currently running on our switches on the wired side of things.
This means that when a client computer connects to the network, its individual device certificate is probed. These individual, AD-issued certificates are checked by the Windows RADIUS server that is part of the domain, and then, if they exist and are valid, the machine may enter the correct VLAN and get an IP from there. Otherwise, it will be put into the public LAN with device isolation and bare minimum internet access.
Until now, we only had user-based authentication working in tandem with HiveManager NG / ExtremeCloud IQ. All attempts to use our RADIUS server rules that work for LAN-based ports on the wireless side of things have not met with any success.
Is there a guide for Aerohive/Extreme Networks devices on how to set this up on an on-premise installation of the Extreme Cloud IQVA?
Best answer by tobias.protz
Just a quick followup: We have been contacted by our installation partner, and they were very helpful. We hope that we have identified the problem, it was a little hiccup easy to miss when switching from (working) client based auth to device based:
We had all the users in an access control list on the AD, but when we switched to client-based auth via certificate, we did not put the clients in another ACL to auth against this; instead the old user ACL was left in place. We tried directly using the OU as a reference in which the client machines reside, but this didn't work.
I hope that fixing this will fix the problem, and basically enable us to run the same settings for access via cable and wireless networks for all machines.
Thanks a lot!
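The fix described in the accepted answer comes down to one detail: an NPS network policy can match on "Machine Groups" (group membership of the computer account), but it cannot match on the OU a computer object lives in. So the computer accounts have to be members of a security group that the wireless policy references, separately from the user group used for the old user-based policy. The script below is an added example, not code from either poster or from Extreme Networks; it uses the RSAT ActiveDirectory module to keep such a group in sync with an OU. The OU path `OU=Workstations,DC=example,DC=local` and the group name `NPS-Cert-Devices` are placeholders.

```powershell
# Added example (not from the thread): keep an AD security group populated with the
# computer accounts from an OU, so an NPS network policy can use a "Machine Groups"
# condition for device-certificate (EAP-TLS) authentication.
# Assumptions: RSAT ActiveDirectory module is installed; the OU path and group name
# below are placeholders to be replaced with your own values.
Import-Module ActiveDirectory

$ComputerOU = 'OU=Workstations,DC=example,DC=local'   # placeholder: OU holding the client machines
$NpsGroup   = 'NPS-Cert-Devices'                       # placeholder: group referenced by the NPS policy

# Create the group if it does not exist yet
if (-not (Get-ADGroup -Filter "Name -eq '$NpsGroup'")) {
    New-ADGroup -Name $NpsGroup -GroupScope Global -GroupCategory Security -Path $ComputerOU
}

# Distinguished names of current members (empty on first run)
$existing = Get-ADGroupMember -Identity $NpsGroup |
    Select-Object -ExpandProperty distinguishedName

# Add every enabled computer account from the OU (and sub-OUs) that is not yet a member
Get-ADComputer -Filter "Enabled -eq 'True'" -SearchBase $ComputerOU -SearchScope Subtree |
    Where-Object { $existing -notcontains $_.DistinguishedName } |
    ForEach-Object {
        Add-ADGroupMember -Identity $NpsGroup -Members $_
        Write-Output "Added $($_.Name) to $NpsGroup"
    }

# Report members that are no longer in the OU (moved or decommissioned machines) so their
# VLAN access is reviewed rather than silently kept
$inOu = Get-ADComputer -Filter * -SearchBase $ComputerOU -SearchScope Subtree |
    Select-Object -ExpandProperty DistinguishedName
$existing | Where-Object { $inOu -notcontains $_ } |
    ForEach-Object { Write-Warning "Group member outside OU, review access: $_" }
```

Run it from an account allowed to modify the group, then point the NPS network policy's "Machine Groups" condition at `NPS-Cert-Devices` (or your own group name). Note that group membership is evaluated from the computer's Kerberos token at logon time, so a freshly added machine may need a reboot before the wireless policy matches; the script deliberately only reports stale members instead of removing them, so a machine that was moved out of the OU is checked by an admin before it loses its VLAN.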